
k8s-security-policies

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

79

1.21x
Quality: 68% (Does it follow best practices?)

Impact: 95%, 1.21x (Average score across 3 eval scenarios)

Security by Snyk: Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./tests/ext_conformance/artifacts/agents-wshobson/kubernetes-operations/skills/k8s-security-policies/SKILL.md

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly identifies its domain (Kubernetes security), lists specific capabilities (NetworkPolicy, PodSecurityPolicy, RBAC), and includes an explicit 'Use when' clause with natural trigger terms. It uses proper third-person voice and is concise without being vague. One minor note is that PodSecurityPolicy is deprecated in favor of Pod Security Standards/Admission, but this is a content accuracy issue rather than a description quality issue.

Dimension | Reasoning | Score
Specificity | Lists multiple specific concrete actions: implementing NetworkPolicy, PodSecurityPolicy, and RBAC. These are distinct, well-defined Kubernetes security mechanisms rather than vague abstractions. | 3 / 3
Completeness | Clearly answers both 'what' (implement NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security) and 'when' (explicit 'Use when' clause covering securing clusters, implementing network isolation, or enforcing pod security standards). | 3 / 3
Trigger Term Quality | Includes strong natural keywords users would say: 'Kubernetes', 'security policies', 'NetworkPolicy', 'PodSecurityPolicy', 'RBAC', 'network isolation', 'pod security standards', 'securing Kubernetes clusters'. Good coverage of both specific resource names and general intent terms. | 3 / 3
Distinctiveness Conflict Risk | Highly specific to Kubernetes security policies with distinct triggers like NetworkPolicy, PodSecurityPolicy, RBAC, and pod security standards. Unlikely to conflict with general Kubernetes deployment skills or generic security skills. | 3 / 3
Total | | 12 / 12

Passed

Implementation

37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides excellent, executable YAML examples covering a broad range of Kubernetes security topics, making it highly actionable. However, it suffers from being a monolithic reference catalog with no workflow sequencing or validation steps, which is critical for security policy implementation. Significant verbosity (redundant Pod Security Standards examples, generic compliance checklists, explanatory sections) wastes token budget without adding value Claude doesn't already possess.

Suggestions

Add a clear implementation workflow with sequenced steps and validation checkpoints, e.g.: '1. Apply default-deny NetworkPolicy → 2. Verify with kubectl describe → 3. Add specific allow rules → 4. Test connectivity → 5. Apply Pod Security Standards → 6. Verify pods still schedule correctly'

Consolidate the three nearly-identical Pod Security Standards examples into a single template with a note that only the label value changes (privileged/baseline/restricted), saving ~30 lines

Move the OPA Gatekeeper, Istio, and compliance framework sections to referenced files, keeping SKILL.md as a concise overview with links to detailed guides

Remove the 'Purpose', 'When to Use This Skill' prose, and the generic best practices/compliance lists that Claude already knows—replace with a brief one-liner and focus on the concrete, non-obvious implementation details

Dimension | Reasoning | Score
Conciseness | The skill is extremely verbose at ~300 lines, with significant redundancy. The three Pod Security Standards examples are nearly identical (differing only in one label value). The compliance frameworks section lists generic advice Claude already knows. The 'When to Use This Skill' and 'Purpose' sections restate the same information. Much content could be condensed or moved to reference files. | 1 / 3
Actionability | The skill provides fully executable, copy-paste ready YAML manifests for every major concept: NetworkPolicy, RBAC, Pod Security Context, OPA Gatekeeper, and Istio policies. The troubleshooting section includes concrete kubectl commands. All examples are complete and deployable. | 3 / 3
Workflow Clarity | There is no sequenced workflow for implementing security policies. The content is a reference catalog of YAML snippets without any ordering, validation checkpoints, or feedback loops. For security policy implementation—which involves destructive/critical operations—there should be explicit steps like 'apply default deny first, then verify connectivity, then add allow rules.' Missing validation caps this at 1. | 1 / 3
Progressive Disclosure | References to external files exist (assets/network-policy-template.yaml, references/rbac-patterns.md) and related skills are mentioned, which is good. However, the main file is a monolithic wall of YAML examples that should be split—the OPA Gatekeeper, Istio, and compliance sections could easily be separate reference files, keeping the SKILL.md as a concise overview. | 2 / 3
Total | | 7 / 12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository
Dicklesworthstone/pi_agent_rust
Reviewed
